GAT Shield allows admins to set up a Login Control rule for users of their domain.
By setting up this rule admins can control whether users can log in to their domain or not.
It works by disabling users from logging into your domain at certain times (Login time window from/to) and log-in area.
This type of Login control can be set up from the GAT Shield console.
1. Login control #
Navigate to Shield → Configuration → Login Control
2. Select Filters #
In the Login Control settings pick the Login time window or Login area.
- Login time window – set up a time window where end-users can log in to your domain
- Login area – set up location from where users are allowed only to log in. Logins from outside the chosen location will be blocked
3. Time window #
By selecting the Time window the users will be ALLOWED to log in in the time frame.
The users will be blocked from logging into the domain at times outside of the selected timeframe.
- The daytime selector can be used to select any day and any time in the day when users are allowed to log in.
- Select the ‘ plus +‘ button to add more intervals on that particular day.
- The option to “check against the user’s timezone” can also be toggled to apply the rule according to the local user’s timezone.
4. Login Area #
Select an area, outside of which, Shield devices cannot log in to your domain.
Clicking on the “select area” button will show a Map. In the map choose a location where the logins will be allowed from.
NOTE: The end-users will not be allowed to log in if they are outside of the selected location.
Setting options #
- Idle timeout (s) -A period of idle time (in seconds) after which Shield will log the user’s device out of your domain. Maximum value is 15 minutes / 900 [s].
- ‘Hard’ logout -If this option is not selected, ‘soft logout’ is the default method. The user will just be logged out of the Google domain sessions on the device. If ‘hard logout’ is selected the user will be logged out entirely from the device (Google domain sessions, personal sessions, Chrome, etc.).
- Login allowlist – If blank GAT Shield allows all users to log into your domain from all networks, else only specified, use direct (eg. 72.14.0.154) or network addresses (eg. 64.233.187.99/8). All network addresses must end with a CIDR. Use a semicolon to separate addresses.
Scope – users affected #
- Scope – Rule recipients. If no value is specified, all domain users are affected. If any value is specified, any user who meets the criteria is affected.
Note:
These settings allow you to enforce policies to prevent or allow access to your Google Workspace domain by clients with Shield devices, using a number of criteria.
It may take a while for settings to propagate to all GAT Shield Chrome extensions.
Result #
When the Login control is enabled the rule is applied.
The users won’t be able to log in to the domain – if they are outside of the selected Login Area.
The users will not be able to log in to the domain – if they are outside of the times selected in the Login time window
The users won’t be able to use their domain account.
- Gmail
- Google Drive
- Google classrooms
- Google calendars
- All Google domain account services
Login to Google services has been blocked at this time.
